// https://syzkaller.appspot.com/bug?id=474b770699dcb3d34227402eec8317323009af19 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include __attribute__((noreturn)) static void doexit(int status) { volatile unsigned i; syscall(__NR_exit_group, status); for (i = 0;; i++) { } } #include #include #include #include #include const int kFailStatus = 67; const int kRetryStatus = 69; static void fail(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); } #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1) #define BITMASK_LEN_OFF(type, bf_off, bf_len) \ (type)(BITMASK_LEN(type, (bf_len)) << (bf_off)) #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \ if ((bf_off) == 0 && (bf_len) == 0) { \ *(type*)(addr) = (type)(val); \ } else { \ type new_val = *(type*)(addr); \ new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \ new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \ *(type*)(addr) = new_val; \ } struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += (uint16_t)data[length - 1]; while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static uint64_t current_time_ms() { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) fail("clock_gettime failed"); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static void execute_one(); extern unsigned long long procid; static void loop() { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) fail("clone failed"); if (pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); execute_one(); doexit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { int res = waitpid(-1, &status, __WALL | WNOHANG); if (res == pid) { break; } usleep(1000); if (current_time_ms() - start < 3 * 1000) continue; kill(-pid, SIGKILL); kill(pid, SIGKILL); while (waitpid(-1, &status, __WALL) != pid) { } break; } } } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one() { long res = 0; res = syscall(__NR_socket, 0x11, 0x100000803, 0); if (res != -1) r[0] = res; memcpy((void*)0x200001c0, "/dev/net/tun", 13); res = syz_open_dev(0x200001c0, 0, 0x20000000002); if (res != -1) r[1] = res; memcpy((void*)0x20000040, "\x69\x66\x62\x30\x00\xfa\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00", 16); *(uint16_t*)0x20000050 = 0x5001; syscall(__NR_ioctl, r[1], 0x400454ca, 0x20000040); memcpy((void*)0x20000000, "\x69\x66\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000010 = 0xa201; syscall(__NR_ioctl, r[0], 0x8914, 0x20000000); *(uint8_t*)0x20000480 = -1; *(uint8_t*)0x20000481 = 0; *(uint16_t*)0x20000482 = 0; *(uint16_t*)0x20000484 = 0; *(uint16_t*)0x20000486 = 0; *(uint16_t*)0x20000488 = 0; STORE_BY_BITMASK(uint8_t, 0x2000048a, 6, 0, 4); STORE_BY_BITMASK(uint8_t, 0x2000048a, 6, 4, 4); STORE_BY_BITMASK(uint8_t, 0x2000048b, 0, 0, 2); STORE_BY_BITMASK(uint8_t, 0x2000048b, 0, 2, 6); *(uint16_t*)0x2000048c = htobe16(0x1c); *(uint16_t*)0x2000048e = htobe16(0); *(uint16_t*)0x20000490 = htobe16(0); *(uint8_t*)0x20000492 = 0; *(uint8_t*)0x20000493 = 0; *(uint16_t*)0x20000494 = 0; *(uint32_t*)0x20000496 = htobe32(0); *(uint32_t*)0x2000049a = htobe32(0xe0000001); *(uint8_t*)0x2000049e = 0; *(uint8_t*)0x2000049f = 0; *(uint16_t*)0x200004a0 = 0; *(uint32_t*)0x200004a2 = htobe32(0xe0000001); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x2000049e, 8); *(uint16_t*)0x200004a0 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x2000048a, 20); *(uint16_t*)0x20000494 = csum_inet_digest(&csum_2); syscall(__NR_write, r[1], 0x20000480, 0xfdef); res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[2] = res; memcpy((void*)0x20000000, "\x00\x00\xce\x9d\x26\xde\x00\x13\x09\x59\x3a\xb0" "\xbb\xec\xd7\x54\x01\x00\x00\x00\x02", 21); syscall(__NR_ioctl, -1, 0xc020660b, 0x20000000); syscall(__NR_ioctl, r[2], 0x8916, 0x20000000); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); for (;;) { loop(); } }